ASP.NET Session and Cookies in Multi-tenant application_问答_开发者

ASP.NET Session and Cookies in Multi-tenant application

开发者 https://www.devze.com 2023-02-20 12:39 出处：网络

I\'m working on a multi-tenant ASP.NET MVC application. So far we have been using HttpContext to store a few objects for the request (technically partitioned by tenant).

I'm working on a multi-tenant ASP.NET MVC application.

So far we have been using HttpContext to store a few objects for the request (technically partitioned by tenant).

However, we will need to use TempData (uses Session) and set authentication cookies.

Our spec:

A tenant can have multiple urls (tenant1.myapp.com or mycustomdomain.com)
Authentication cookies should NOT be shared by tenants
Ideally, a tenant's authentication cookie should be shared by any one of their urls

Is Session domain aware? It seems to be.

Can I set multiple domains on an auth开发者_Go百科entication cookie?

Advice on anything else that may catch me out would be appreciated. Really I just need to understand what needs to be partitioned for each tenant (up to now I've partitioned the file system, database and cache per tenant).

Thanks

Ben

Is Session domain aware?

By default Session is tracked by cookies and because cookies are restricted to the same domain the session is not only domain aware but also application-aware meaning that if you have two applications on the same domain they won't share session.

Can I set multiple domains on an authentication cookie?

No. Cookies cannot be shared between domains. But contrary to sessions you can share them among multiple applications on the same domain (by setting the domain attribute to the top level domain in the <forms> tag in web.config). This is what allows to achieve single sign on between applications on the same domain. If you wanted to achieve single sign on between applications on different domains you will need different approach.

you may want to look into Session Partitioning.

<configuration>
    <system.web>
        <sessionState 
            mode="StateServer" 
            partitionResolverType=
                "IndustryStrengthSessionState.PartitionResolver" />
    </system.web>
</configuration>

But I don't believe you can share sessions across domains out of the box. You will likely need to add custom session synchronization, where each domains session is linked by a custom algorithm to the same user/tenant etc.